Flow Tools

I've got a problem and I'm hoping OBSD may be able to solve my problem.

We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.

I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.

Are there any other tools that I may have missed that would help me solve my problem?

Re: Flow Tools

On 03/13/18 16:39, Paul Ammann wrote:
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.

How do you generate the flows?

pflow(4) or some other method?

> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve my problem?

I had to check by configuring a second pflow interface on my home
gateway here, and it seems you can indeed have more than one pflow
interface (the other option that comes to mind is some fairly specific
rules for your netflow data with dup-to, but that may be pushing the
number of hoops to jump through too far).

Re: Flow Tools

Paul ...
You could look at pmacct by Paolo Lucente, he is a cool guy...
It has multiple flow aggregation and translation capabilities ...
I don't think it is in ports yet... I'd like to get off my ass and do it some
day as I think it is awesome ...

> Hi
>
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a
> single destination. We need to send flow traffic to 3 destinations.
>
> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> reading about flow-tools and flowd. Unfortunately there doesn't seem to
> have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve
> my problem?
>
> Thank you in advance.
>
> Paul
>
>

Re: Flow Tools

On 03/13/18 17:44, Tom Smyth wrote:
> Paul ...
> You could look at pmacct by Paolo Lucente, he is a cool guy...
> It has multiple flow aggregation and translation capabilities ...
> I don't think it is in ports yet... I'd like to get off my ass and do it some
> day as I think it is awesome ...

Re: Flow Tools

> On 03/13/18 17:44, Tom Smyth wrote:
>> Paul ...
>> You could look at pmacct by Paolo Lucente, he is a cool guy...
>> It has multiple flow aggregation and translation capabilities ...
>> I don't think it is in ports yet... I'd like to get off my ass and do it some
>> day as I think it is awesome ...
>
> pmacct is in ports - http://openports.se/net/pmacct so likely
> straightforward to get started
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

--
Kindest regards,
Tom Smyth


Re: Flow Tools

> Hi
>
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.
>
> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve my problem?
>
> Thank you in advance.
>
> Paul
>
>
>

Re: Flow Tools

Sorry, if I hijack the thread, but what do you guys use for netflow
analysis?
Only know nfsen in ports, but sometimes I need a more versatile tool.

On 13.03.18 20:35, Diana Eichert wrote:

> I've been using samplicator to fanout UDP flow data for years.
>
> https://github.com/sleinen/samplicator
>
> diana
>
>
> On Tue, 13 Mar 2018, Paul Ammann wrote:
>
>> Hi
>>
>> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>>
>> We bought new firewalls in 2017, but they can only send flow traffic
>> to a single destination. We need to send flow traffic to 3 destinations.
>>
>> I have a copy of Michael Lucas' book Network Flow Analysis, and I've
>> been reading about flow-tools and flowd. Unfortunately there doesn't
>> seem to have been a lot of development on these tools since 2010.
>>
>> Are there any other tools that I may have missed that would help me
>> solve my problem?
>>
>> Thank you in advance.
>>
>> Paul
>>
>>
>>
>
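
The fan-out idea raised in this thread (one exporter that can only target a single destination, three collectors that need the data), as an added example that is not part of any poster's message and is not samplicator's code. The names `fan_out`, `flow_version` and `demo`, the loopback addresses and the sample datagrams are all constructed for illustration.

```python
import socket
import struct

KNOWN_VERSIONS = {1, 5, 7, 9, 10}  # NetFlow v1/v5/v7/v9 and IPFIX (version 10)

def flow_version(datagram):
    """Return the export version from the first two bytes, or None if implausible."""
    version = struct.unpack("!H", datagram[:2])[0] if len(datagram) >= 4 else 0
    return version if version in KNOWN_VERSIONS else None

def fan_out(listen_sock, collectors, allowed_exporters, max_datagrams=None):
    """Copy each accepted datagram to every collector; return per-outcome counters."""
    stats = {"relayed": 0, "dropped_source": 0, "dropped_format": 0}
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while max_datagrams is None or sum(stats.values()) < max_datagrams:
        data, (src_ip, _port) = listen_sock.recvfrom(65535)
        if src_ip not in allowed_exporters:
            # Flow export is unauthenticated UDP: accept only known exporters
            # (a weak check on its own, since UDP sources can be forged).
            stats["dropped_source"] += 1
        elif flow_version(data) is None:
            stats["dropped_format"] += 1
        else:
            for dest in collectors:
                out.sendto(data, dest)  # payload is forwarded byte for byte
            stats["relayed"] += 1
    out.close()
    return stats

def demo():
    """Loopback run: one listener, three collectors, two constructed datagrams."""
    socks = []
    for _ in range(4):  # the relay's listener plus three collectors
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        s.settimeout(2)
        socks.append(s)
    listen, collectors = socks[0], socks[1:]
    v5 = struct.pack("!HH", 5, 0) + bytes(20)  # constructed v5 header, zero records
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for payload in (v5, b"not a flow export"):
        tx.sendto(payload, listen.getsockname())
    stats = fan_out(listen, [c.getsockname() for c in collectors], {"127.0.0.1"}, 2)
    got = [c.recvfrom(65535)[0] for c in collectors]
    for s in socks + [tx]:
        s.close()
    return stats, got, v5

if __name__ == "__main__":
    print(demo()[0])
```

A plain relay like this re-sends from its own address, so collectors that identify exporters by source address will see the relay rather than the firewall.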

Re: Flow Tools

On Wed, 14 Mar 2018, at 9:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?
> Only know nfsen in ports, but sometimes I need a more versatile tool.
>

Re: Flow Tools

On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov <[hidden email]> wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?
> Only know nfsen in ports, but sometimes I need a more versatile tool.

nfdump is rather powerful if you don't need a pretty GUI; it's like
tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
regular reports, but also run it ad hoc.

Re: Flow Tools

I 2nd nfdump, then again I like tcpdump too ;-)

On Wed, 14 Mar 2018, Daniel Melameth wrote:

> On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov <[hidden email]> wrote:
>> Sorry, if I hijack the thread, but what do you guys use for netflow
>> analysis?
>> Only know nfsen in ports, but sometimes I need a more versatile tool.
>
> nfdump is rather powerful if you don't need a pretty GUI; it's like
> tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
> regular reports, but also run it ad hoc.
>
>
>

Re: Flow Tools

On 2018-03-16, Michael Price <[hidden email]> wrote:
> It seems nfdump in ports is a bit behind the latest version though. 1.6.15
> in particular fixed a few security issues in nfcapd.
>
> Is sthen still the contact person for the port? I suppose I could submit a
> patch.

Oh, it moved so portroach no longer picks it up. Can you try this diff please?

>
> So long as you're on IPv4, flow-tools-ng is pretty decent. They
> haven't been updated because they work well enough. Not grand, but
> okay.
>
> And thanks for buying my book!
>
> ==ml
>
> On Tue, Mar 13, 2018 at 11:39:52AM -0400, Paul Ammann wrote:
> > Hi
> >
> > I've got a problem and I'm hoping OBSD may be able to solve my problem.
> >
> > We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.
> >
> > I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.
> >
> > Are there any other tools that I may have missed that would help me solve my problem?
> >
> > Thank you in advance.
> >
> > Paul
>
> --
> Michael W. Lucas https://mwl.io/
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/